Remote Desktop Application Duo Access Only and 2FA Requirements

I am new to Duo and don’t have it installed yet as I have some questions about whether it would be right for our environment.

We have 7 computers in our LAN which is behind a physical firewall. Users use the Remote Desktop application to get their desktops remotely. At the office, it is not uncommon for someone to log into another person’s desktop as that person.

Can Duo be set up so that 2FA is set up only when coming in through the Remote Desktop application but not require 2FA when they are locally at their computers?

When using 2FA, is there an app that runs on the phone? Will this app run on any phone or are there certain iOS or Android versions required? I could not find that in the requirements section of the basic documentation I looked at.

Maybe I am misunderstanding completely how Duo works. If that is the case, I would appreciate a link that would help me correct my understanding.

Thanks in advance.

Hi @nekton181, welcome to the Duo Community! Thanks for sharing your question here with us. I’ll be happy to answer you and provide as much guidance as I can.

Yes, to do this you will just need to select the “Only prompt for Duo authentication when logging in via RDP” option in the installer. You can read more on this in the Important Notes section of our documentation.

Yes, Duo Mobile is our mobile authenticator app you can use to approve Duo Push notifications for certain protected applications (including Windows Logon for RDP) and generate passcodes. You can see which versions of Android and iOS are currently supported in the following articles:

ETA: I hope that helps! Please let me know if you have any other questions I can assist with.


Hi Amy,

These links were extremely helpful. Thanks!

One thing I still want to make sure I have got straight is that older phones can still be used even if they cannot run the app by choosing SMS text messaging to get an authentication code. It seems like the documentation says that is the case, but I want to be 100% sure.

Thanks so much!

Glad you found them helpful! Yes, older phones are still able to authenticate via SMS text messages even if they cannot install the Duo Mobile app.


Thanks Amy!

I don’t know if I should start a new thread or not, but I am also wondering if multiple phones can be assigned to a device. I want the employee to be authenticated with Duo, but I as an IT person will also need to access the device remotely. Is there a link to how this is accomplished? It must be a fairly common scenario.

@nekton181 Phones in Duo get assigned to a person, not to a computer. So the phone attached to your Duo user can be used for 2FA for any of your Duo-protected applications.

Getting Started - a very basic overview of how to begin a Duo rollout, and these specifically are the steps you could take to roll Duo out to these LAN computers:

  1. Sign up for Duo and get your Duo admin account all set (this is the login you use to manage your Duo account and perform administrative actions in the Duo cloud service).
  2. Figure out what application you want to protect and follow those instructions. Based on what you shared in your original post, you likely want Duo for Windows Logon and RDP. You would install this application on every Windows computer where you want people to log in with two-factor authentication.
  3. That Duo for Windows application requires that you set your end users up in Duo before they can log in, and the very simplest way to do that is for you to create an end user in Duo, then create a phone for 2FA in Duo and attach it to the end user. If the phone is running recent iOS/Android, you can go on to send Duo Mobile app install and activation info to those users.
  4. If you also need to log in to these Windows computers after installing Duo, then don’t forget to perform step 3 for yourself (create a Duo end user for you, and attach your phone).

Hope that helps!
